WordPress DDoS Exploit killing lighttpd php-fastcgi?

linuxthefish

I've got loads of requests from wordpress pingback URL's to / on my server, and it's crashing lighttpd with mega high load! Anyone knows a fix for this?

I've tried "iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --string "Wordpress" --algo bm -j DROP" but no luck.

Last bits of my webserver log:

All from different IP's and URL's...

noosVPS

Yes, it is very common now. Quick fix:

chmod 000 xmlrpc.php

...will stop them for good!

linuxthefish

@noosVPS said:
Yes, it is very common now. Quick fix:

chmod 000 xmlrpc.php

...will stop them for good!

It's me being hit, not by site being used to attack others

alexh

@linuxthefish said:
It's me being hit, not by site being used to attack others

His fix will work for you, too.

http://blog.spiderlabs.com/2014/03/wordpress-xml-rpc-pingback-vulnerability-analysis.html

You can also disable pingbacks in your theme functions file:

noosVPS

linuxthefish said: It's me being hit, not by site being used to attack others

Lol dude you are being hit on this particular file: xmlrpc.php.

Chmod 000 and let them hit at 403 forbidden!

linuxthefish

Got that file deleted, and still no good

noosVPS

Give it some time.. Are you still seeing "verifying pingback" in the logs? If php processes still running like crazy let me know

linuxthefish

Nope, still going on...

noosVPS

ps auxfee > /root/process.txt

Check /root/process.txt, you should have more info about php-cgi processes - details like php file that is being executed, remote ip, port, environment variables etc..

Hopefully that should help you pinpoint which script is being hit.

alexh

noosVPS said: Check /root/process.txt, you should have more info about php-cgi processes - details like php file that is being executed, remote ip, port, environment variables etc..

It looks like an HTTP DoS as opposed to a pingback attack; All requests are GET, and made to the index. Have you installed W3 Total Cache? @linuxthefish

linuxthefish

Sorry for the quick first post, however I fixed this by switching to pm = ondemand and 100 max children (goodbye ram).

Mun

Use cloudflare, one option!

Two you could use some PHP code to exit the process for anything that has a referrer of wordpress.

apollo15

cloudflare wont do anything.

Block WordPress user-agent and you will be fine.

Mun

@apollo15 said:
cloudflare wont do anything.

Block WordPress user-agent and you will be fine.

Then you dont know cloudflare.

jmginer

If wordpress != upgraded
then suspend website

nexmark

@Mun said:
Then you dont know cloudflare.

Cloudflare can soak up most attacks however they're useless for Layer 7 application targeted floods, if you want nice protection you would have to either upgrade to their pro or business plan. I got fed up with Cloudflare so I used a cheap OVH VPS as a reverse proxy and that works quite well for my needs ands its been working since then.

What Cloudflare was doing was it doesn't detect the XML-RPC ping back DDoS and it passes it as a true legitimate request then Lite speed webserver thinks Cloudflare the the orgin of the flood then blocks Cloudflare which means my site is offline at that point which is a big no no.

I had the pro plan, I also think Incapsula is better than Cloudflare in many areas however nothing beats Cloudflare free for basic attacks

linuxthefish

Just to be clear, it's not my wordpress install sending out attacks - I've got pingbacks disabled, as well as a plugin that stops it. I also updated last night before most of the attacks on my site

nexmark

@linuxthefish said:
Just to be clear, it's not my wordpress install sending out attacks - I've got pingbacks disabled, as well as a plugin that stops it. I also updated last night before most of the attacks on my site

Have you tried Nginx with Test cookie and or rate limit requests per ip

Mun

@linuxthefish said:
Just to be clear, it's not my wordpress install sending out attacks - I've got pingbacks disabled, as well as a plugin that stops it. I also updated last night before most of the attacks on my site

I still suggest a simple php code or lighttpd rule that blocks a request if the http_user_agent contains wordpress


<?php if(strpos($SERVER['HTTP_USER_AGENT'], 'wordpress') !== false) { exit('bad user agent'); } ?>


linuxthefish

Mun said: I still suggest a simple php code or lighttpd rule that blocks a request if the http_user_agent contains wordpress

Apparently it's not possible to add a rewrite rule for HTTP referer, but i'll try the above code also.

nunim

I've run into these more and more lately, a simple rule for WordPress user agent blocks it fairly well.

It doesn't look like that many IP addresses attacking you, it's relatively easy to parse your access-log for unique IPs and add them to CSF (or iptables).

linuxthefish

@nunim said:
I've run into these more and more lately, a simple rule for WordPress user agent blocks it fairly well.

It doesn't look like that many IP addresses attacking you, it's relatively easy to parse your access-log for unique IPs and add them to CSF (or iptables).

I did with fail2ban, more just kept coming

apollo15

@Mun said:
Then you dont know cloudflare.

Really? really? I have had this type of attack dozen of times under free and pro cloudflare accounts.

How many times were you hit? You must have been on business or enterprise package if they mitigated this.

Gadelhas

@apollo15 said:
How many times were you hit? You must have been on business or enterprise package if they mitigated this.

I'm on business package and didn't feel anything on my server, I guess that they mitigated the attack

awvnx

Why don't you just cache your Wordpress? Then the / index hits will be served instantly.

Cloudflare can even do this for you if you set up the rules to cache dynamic pages. I doubt you need your blog to be updated every second anyway.

Mun

@apollo15 said:
How many times were you hit? You must have been on business or enterprise package if they mitigated this.

I was on the free plan, never had an issue when I was hit by a few login brute force bots and such.

apollo15

@Mun said:
I was on the free plan, never had an issue when I was hit by a few login brute force bots and such.

No comment. You do realize it is not brute-force, not even similar, right?

alexh

apollo15 said: No comment. You do realize it is not brute-force, not even similar, right?

Brute-forcing, while having an end goal of obtaining valuable user information, still remains a type of DoS attack. Both have similar results, as a large amount of requests are made in a short period of time.

msg7086

@Mun said:

With Nginx,

if ($http_user_agent ~* wordpress) {
    return <del>403</del> 444;
}

and will save you precious FastCGI connections.

nexmark

@msg7086 said:
and will save you precious FastCGI connections.

return 444;

Would be better
http://httpstatusdogs.com/444-no-response

Mun

@apollo15 said:
No comment. You do realize it is not brute-force, not even similar, right?

Yes.....

@alexh said:
Brute-forcing, while having an end goal of obtaining valuable user information, still remains a type of DoS attack. Both have similar results, as a large amount of requests are made in a short period of time.

Indeed

@msg7086 said:
and will save you precious FastCGI connections.

He isn't using Nginx, and 'if' inside nginx is BAD!